10-02-2018 03:28 AM
For a customer PoC I have a pair of ISE nodes installed and have added several network devices (e.g. Cisco, Arista, F5, Aruba, and HP) for device administration, where some are administered via TACACS+ and some over RADIUS. The goal here is to replace an old ACS system and an old RADIUS server (FreeRADIUS).
My particular issue currently is the HP switches. I have set up all the necessary attributes and settings on the ISE, as for the other vendors, but on the HP I am not getting any success.
On the ISE I see the authentication and authorization steps complete with full success, but the switch tells me permission denied, which is weird. On the old RADIUS system (FreeRADIUS) my customer is using the Cisco attributes for all HP switches and it works fine there.
I found out that if I leave out the "aaa authentication login privilege-mode" command, the attributes given on the ISE seem to work. But then I have to authenticate once for level 0 and then again for enable mode level 15, which I want to avoid and which is not used in my customer's environment.
Here is an extract of the switch configuration:
radius-server host xx.xx.xxx.xx key xxxxxxxxx acct-port 1646 auth-port 1645
radius-server host xx.xx.xx.xx key xxxxxxxxxx acct-port 1646 auth-port 1645
aaa accounting update periodic 1
aaa authentication login privilege-mode
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
Attributes I have used and tried:
10-02-2018 07:27 AM
Do you have a list of the attributes FreeRADIUS is sending back? I would match exactly how it is set up on FreeRADIUS. Also, a packet capture of what is being sent back from FreeRADIUS would work as well.
10-02-2018 11:38 AM
I did exactly what you proposed.
This is a dump from FreeRADIUS:
10-02-2018 02:58 PM
Have you tried 'roles=' instead of 'roles*'? Also, you could try with single role 'shell:roles=network-admin' instead and see if it gives any hints.
10-15-2018 11:42 PM
I finally found a solution. Changing the equal sign to the star helped, and I added the IETF attribute Service-Type=6.
This finally helped and now it is working as expected.
Access Type = ACCESS_ACCEPT
Service-Type = 6
cisco-av-pair = shell:priv-lvl=15
cisco-av-pair = shell:roles*"network-admin vdc-admin"
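To make the working Access-Accept above checkable against a packet capture, here is an added example (not code from the thread, ISE, or FreeRADIUS) that encodes and decodes the RADIUS attribute TLVs involved: the IETF Service-Type attribute (type 6) with value 6 = Administrative-User, and the Cisco Vendor-Specific attribute (type 26, vendor ID 9, sub-type 1 = cisco-av-pair). It covers only the attribute portion of the packet, not the RADIUS header or authenticators; the attribute values are constructed from the post above, and the "*" versus "=" optional/mandatory reading of the AV-pair separator follows Cisco's AV-pair syntax.

```python
import struct

# RFC 2865 attribute types and values used in the working Access-Accept.
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE = 6      # Service-Type = Administrative-User
CISCO_VENDOR_ID = 9                  # IANA enterprise number for Cisco
CISCO_AVPAIR_SUBTYPE = 1             # Cisco-AVPair (cisco-av-pair)


def encode_integer(attr_type, value):
    """Encode a 4-byte integer RADIUS attribute as Type/Length/Value."""
    return struct.pack("!BBI", attr_type, 6, value)


def encode_cisco_avpair(text):
    """Wrap one cisco-av-pair string in a Cisco Vendor-Specific attribute (type 26)."""
    data = text.encode("utf-8")
    sub = struct.pack("!BB", CISCO_AVPAIR_SUBTYPE, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_accept_attributes(priv_lvl=15, roles=("network-admin", "vdc-admin")):
    """Attribute bytes of the Access-Accept the thread ended up with (constructed here)."""
    roles_pair = 'shell:roles*"' + " ".join(roles) + '"'   # '*' marks the pair optional
    return (encode_integer(ATTR_SERVICE_TYPE, SERVICE_TYPE_ADMINISTRATIVE)
            + encode_cisco_avpair(f"shell:priv-lvl={priv_lvl}")
            + encode_cisco_avpair(roles_pair))


def decode_attributes(blob):
    """Walk the attribute TLVs of an Access-Accept and return a list of (name, value)."""
    out, pos = [], 0
    while pos < len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        val = blob[pos + 2:pos + alen]
        if atype == ATTR_SERVICE_TYPE:
            out.append(("Service-Type", struct.unpack("!I", val)[0]))
        elif atype == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", val[:4])[0]
            sub, spos = val[4:], 0
            # One VSA may carry several vendor sub-attributes; walk them all.
            while spos < len(sub):
                stype, slen = sub[spos], sub[spos + 1]
                if slen < 2 or spos + slen > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                sval = sub[spos + 2:spos + slen]
                if vendor == CISCO_VENDOR_ID and stype == CISCO_AVPAIR_SUBTYPE:
                    out.append(("cisco-av-pair", sval.decode("utf-8")))
                else:
                    out.append((f"VSA-{vendor}-{stype}", sval))
                spos += slen
        else:
            out.append((f"Attr-{atype}", val))
        pos += alen
    return out


def avpair_is_optional(pair):
    """Cisco AV-pair syntax: 'attr=value' is mandatory, 'attr*value' is optional."""
    head = pair.split("=", 1)[0]
    return "*" in head


def check_accept(attrs):
    """True only if the decoded Access-Accept carries all three items the thread needed."""
    has_admin = ("Service-Type", SERVICE_TYPE_ADMINISTRATIVE) in attrs
    avpairs = [v for k, v in attrs if k == "cisco-av-pair"]
    has_priv15 = "shell:priv-lvl=15" in avpairs
    has_roles = any(v.startswith("shell:roles") and avpair_is_optional(v) for v in avpairs)
    return has_admin and has_priv15 and has_roles


if __name__ == "__main__":
    wire = build_accept_attributes()
    print(wire.hex())                      # compare against the bytes in a capture
    for name, value in decode_attributes(wire):
        print(f"{name} = {value}")
    print("complete:", check_accept(decode_attributes(wire)))
```

The first six bytes printed should be `060600000006`, which is what a capture of the Access-Accept should show for Service-Type = Administrative-User; an Access-Accept that carries only the two cisco-av-pairs decodes fine but fails `check_accept`, matching the "permission denied" symptom described before Service-Type was added.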
10-16-2018 09:17 AM
Appreciate you posting the working configuration. Thanks.